<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<link rel="stylesheet" type="text/css" href="stdStyle.css"/>
</head>
<body class="body">

<h1>Protecting against malware</h1>

<table class="info">
<tr><td>
The type of logger FRDL downloads from appears to Windows
exactly like an ordinary memory stick.</td>
<td><img src="icon_info.png" width="100" height="100" alt="Info" valign="top"></td></tr>
</table>
<p>
In trying to make things 'simple' (meaning 'automatic'), Microsoft
handed the writers of viruses, Trojans and worms a very easy way to
spread their code on memory sticks: they exploit the way Windows
examines a stick when it is first plugged in.
<p>
These worms nearly all reproduce the same way: they consist of 
an AUTORUN.INF file and an executable of some kind. When 
you put the stick in the PC, Windows finds AUTORUN.INF 
'automagically' and carries out the instructions it contains. 
<p>
An infected AUTORUN.INF will either run the executable
immediately, or modify the Windows Explorer default behaviour 
so that the worm will run as soon as you open the stick 
by double-clicking on it. The executable will make a copy 
of itself and AUTORUN.INF on all the disk partitions and 
shared drive connections which it can see, and then open 
the root folder normally. (This takes a fraction of a 
second, so you won't notice it.) The executable will 
then sit around in memory and every time you insert a 
removable storage volume (such as another memory stick) 
or map a network drive, it will copy the worm 'kit' to it.
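<p>
The entries that matter in an infected AUTORUN.INF are <i>open</i> and <i>shellexecute</i> (run on insertion) and the <i>shell\verb\command</i> lines (which replace the Explorer double-click and right-click actions). The script below is an added example, not part of this page or of FRDL: it parses an AUTORUN.INF taken off a stick and reports what Windows would run and which files on the stick to look for. The sample file is constructed to resemble a typical worm, and the assumption that the first occurrence of a duplicated key is the one Windows uses is the example's own.

```python
"""Triage an AUTORUN.INF taken from a removable volume: report what Windows
would run on insertion and what the Explorer double-click has been pointed
at.  Added example, not part of the original page or of FRDL.  The sample
file below is constructed to look like a typical memory-stick worm."""
import re
from typing import Dict, Optional

# Constructed sample: mixed-case keys, a comment line, binary junk padding
# (worms add it to dodge signature scanners) and a hijacked default verb.
SAMPLE_AUTORUN_INF = b"""[AutoRun]
; nothing to see here
open=RECYCLED\\INFO.EXE
shellexecute=RECYCLED\\INFO.EXE
shell\\Open=Open
shell\\Open\\Command=RECYCLED\\INFO.EXE
shell\\explore\\Command=RECYCLED\\INFO.EXE
shell=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
\x8f\x03junk padding to break signatures\x00
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser.  Section and key names are lower-cased (Windows
    ignores case), ';' starts a comment, lines without '=' are skipped and
    the first occurrence of a key wins (assumed to match the Windows
    profile-string API)."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and "]" in line:
            current = line[1 : line.index("]")].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # junk padding, or a line outside any section
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip().lower(), value.strip())
    return sections


def first_token(command: str) -> str:
    """Executable part of a command line ('"C:\\a b\\x.exe" /q' -> 'C:\\a b\\x.exe')."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def triage(data: bytes) -> Dict[str, object]:
    """Summarise the [autorun] section the way an analyst wants to see it."""
    ini = parse_ini(data.decode("latin-1"))  # latin-1 never fails on junk bytes
    ar = ini.get("autorun", {})
    verbs: Dict[str, str] = {}
    for key, value in ar.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            verbs[m.group(1)] = value
    default_verb = ar.get("shell", "").strip().lower() or None
    commands = (ar.get("open"), ar.get("shellexecute"), *verbs.values())
    targets = {first_token(c) for c in commands if c and c.strip()}
    return {
        # 'open' or 'shellexecute' is what AutoRun launches on insertion
        "runs_on_insert": bool(ar.get("open") or ar.get("shellexecute")),
        "open": ar.get("open"),
        "shellexecute": ar.get("shellexecute"),
        # shell\<verb>\command entries replace Explorer's context-menu verbs;
        # 'shell=' picks which one a double-click runs
        "verbs": verbs,
        "default_verb": default_verb,
        "double_click_hijacked": "open" in verbs or default_verb in verbs,
        # files to look for (and remove) on the stick
        "targets": sorted(targets),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_AUTORUN_INF).items():
        print(f"{name:>22}: {value}")
```

Run it against a real AUTORUN.INF with <code>triage(open(path, "rb").read())</code>; the <i>targets</i> list tells you which executables (often under a fake RECYCLED folder, as described below) to hunt for on the stick and on every other drive the PC could see.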
<p>
Sometimes the executable will live in a fake \RECYCLED 
folder, which is quite clever because hardly anyone ever 
opens the recycle bin on a memory stick, and because the 
folder doesn't contain a real recycle bin structure, the 
worm will be safe, even if you empty the bin while the 
stick is in the drive.

<h2>FRDL defence</h2>

When FRDL recognizes a logger has been plugged in, the
first thing it does is delete any AUTORUN.INF file it finds.  It
then creates a new <i>folder</i> called AUTORUN.INF. This should prevent
most worms/viruses from creating a file of the same name, because 
when the worm sets out to create this file, it will probably use 
Windows file system methods which either delete, or truncate to
zero any existing regular file with that name; but those methods
don't work for folders.
<p>
This simple method should protect against most AUTORUN.INF attacks
and means that a logger which has just been read by FRDL cannot be
infected by the usual method for as long as the folder stays in place.
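<p>
The same vaccination, written out as an added example rather than FRDL's own code: delete any AUTORUN.INF file, leave a folder of that name behind, and then show that the create-or-truncate open a dropper normally uses fails against the folder. A temporary directory stands in for the root of the stick so it runs anywhere, and it matches the name case-insensitively so it behaves the same on a case-sensitive test box as on Windows.

```python
"""Vaccinate a removable volume the way the text describes: delete any
AUTORUN.INF file and leave a folder of that name in its place, then show
that the ordinary create-or-truncate open a dropper uses now fails.
Added example, not FRDL's own code.  A temporary directory stands in for
the root of the stick so the script runs anywhere; it also copes with a
case-sensitive file system, where 'autorun.inf' and 'AUTORUN.INF' differ."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

AUTORUN = "AUTORUN.INF"


def find_autorun(root: Path) -> List[Path]:
    """Every entry in root named AUTORUN.INF in any mixture of case."""
    return [p for p in root.iterdir() if p.name.upper() == AUTORUN]


def vaccinate(root: Path) -> Path:
    """Remove AUTORUN.INF file(s) from root and create a folder of that name."""
    for p in find_autorun(root):
        if p.is_dir():
            continue  # already vaccinated
        os.chmod(p, 0o666)  # worms often set the read-only attribute
        p.unlink()
    folder = root / AUTORUN
    if not folder.is_dir():
        folder.mkdir()
    return folder


def dropper_write_succeeds(root: Path) -> bool:
    """Emulate a dropper: open AUTORUN.INF for writing, truncating whatever
    is there.  Returns True if the file was written."""
    try:
        with open(root / AUTORUN, "w") as fh:
            fh.write("[autorun]\nopen=RECYCLED\\INFO.EXE\n")
        return True
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False


def demo() -> Dict[str, bool]:
    """Constructed infected stick -> dropper rewrites it -> vaccinate -> dropper fails."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text("[autorun]\nopen=RECYCLED\\INFO.EXE\n")
        before = dropper_write_succeeds(root)  # plain file (or none): write goes through
        vaccinate(root)
        after = dropper_write_succeeds(root)   # folder in the way: open fails
        return {
            "dropper_wins_before": before,
            "dropper_wins_after": after,
            "folder_in_place": (root / AUTORUN).is_dir(),
            "no_file_left": not any(p.is_file() for p in find_autorun(root)),
        }


if __name__ == "__main__":
    print(demo())
```

Treat this as raising the bar rather than closing the door: a dropper that removes the directory first (RemoveDirectory, or a recursive delete) gets past it, which is why the registry change under 'A permanent Solution' is the one to rely on.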
<p>
<table class="warning">
<tr><td>
<b>What FRDL cannot do</b>  If a logger is already infected before it is inserted into a computer, then
it will already be too late by the time FRDL gets to it because Auto-play
will already have read the infected AUTORUN.INF file and executed its dastardly deed.</td>
<td><img src="icon_warning.png" width="100" height="100" alt="Warning" valign="top"></td></tr>
</table>

<h2>Solutions</h2>

Whatever happens, you should have some good anti-virus software running.
<p>
Holding down the shift key when you insert a logger or memory stick will 
prevent Auto-play from running.
<p>
You can find plenty of advice online which says "<I>in Windows Explorer, 
right click drive, Properties, Autoplay tab, select an action and set 
to None.</I>".  You can also find just as much advice that this is not 
very reliable.
<p>
Microsoft has a free add-on called Tweak-UI which apparently is quite good, 
but it only stops Auto-play, not Auto-run which is an older version of 
the same thing.

<h2>A permanent Solution</h2>

This is a permanent solution which will protect you against autorun 
attacks of this type from loggers, memory sticks and any other 
device which Windows sees as 'removable media'.
<p>
Once you have applied it, inserting a CD with software on it no longer
launches the setup program; you have to explore the CD and find it 
yourself. CD audio, DVD video and so on still work as before.
<p>
All you do is:
<ol>
<li>Copy the lines below into a text editor such as Notepad.
<li>Save it as a file called <B>NOAUTORUN.REG</B> (or anything.REG).
<li>Double-click on the file and confirm that you want to add it to the
registry. You need an administrator account, because the key lives under
HKEY_LOCAL_MACHINE.
</ol>
<pre>
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
</pre>
<p>
This tells Windows to treat AUTORUN.INF as if it were a 
configuration file from a pre-Windows 95 application. 
<p>
<i>IniFileMapping</i> is a key which tells Windows how to
handle the .INI files which those applications typically 
used to store their configuration data. In this case it 
says "<I>whenever you have to handle a file called 
AUTORUN.INF, don't use the values 
from the file. You'll find alternative values at 
HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist.</I>" And since 
that key does not exist, it's as if AUTORUN.INF 
is completely empty, and so nothing autoruns, and 
nothing is added to the Explorer double-click action. 
<p>

<table class="good">
<tr><td>
<b>Result:</b> worms cannot get in by this route, unless you start
double-clicking executables to see what they do,
in which case, you deserve to have your PC infected.</td>
<td><img src="icon_good.png" width="100" height="100" alt="Good" valign="top"></td></tr>
</table>

Credit to <B>http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html</B> 
for this solution.


</body>
</html>
